Showing posts with label Security.

15/09/2016

Configuring Common Secure Interoperability Version 2 (CSIV2) - PCI Compliance

TL;DR

To require SSL on both the CSIv2 inbound and outbound transports, launch the wsadmin tool with -lang jython and issue the following commands:

# The original nested single quotes inside a single-quoted string ('[-transportLayer 'SSL-required']'),
# which Jython rejects as a syntax error; the parameter value needs no inner quotes.
AdminTask.configureCSIOutbound('[-transportLayer SSL-required]')
AdminTask.configureCSIInbound('[-transportLayer SSL-required]')
# Persist the change to the master configuration.
AdminConfig.save()

Using the console:

Set the inbound and outbound transports in the administrative console. Make sure that administrative security is enabled.

  • WebSphere Application Server Version 7.0: Click Security > Global Security > RMI/IIOP Security > CSIv2 inbound [outbound] communications. Change the transport type under the CSIv2 Transport Layer to SSL-Required.

Transport values:

  • TCP/IP
  • SSL-required
  • SSL-supported

CSIv2 stands for Common Secure Interoperability Version 2; its settings live in the CSIv2 inbound and outbound communications panels under RMI/IIOP security.

16/08/2016

FIPS Compliance-Part II. IBMJCEFIPS not found for IBMSecureRandom

TL;DR

Add the following lines at the top of the provider list in the java.security file ([java_homedir]/jre/lib/security/java.security), renumbering the existing security.provider.N entries so that they follow on without gaps:

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE

Explanation of the issue:

After enabling FIPS compliance you might see the following error in the log file when you restart the application server:

IBMJCEFIPS not found for IBMSecureRandom

Log details:

com.ibm.websphere.ssl.JSSEHelper.getSSLContext 704
com.ibm.ws.security.orbssl.WSSSLServerSocketFactoryImpl.createSSLServerSocket 459
com.ibm.ws.orbimpl.transport.WSTransport.createServerSocket 1439
com.ibm.ws.orbimpl.transport.WSTransport createServerSocket P=312105:O=0:CT ORBX0390E: Cannot create listener thread.
Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET,
Exception=com.ibm.websphere.ssl.SSLException:
java.lang.RuntimeException: Provider IBMJCEFIPS not found for IBMSecureRandom
vmcid: 0x49421000 minor code: 77 completed: No - received while attempting to open server socket on port 1072 ].
com.ibm.ws.orbimpl.transport.WSTransport.startListening 805
com.ibm.ws.orbimpl.transport.WSTransport.createListener 724


The easiest fix is to register the missing IBM SecureRandom provider ahead of the IBM JCE provider in java.security ([java_homedir]/jre/lib/security/java.security), renumbering any providers that follow so the numbering stays contiguous:

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE
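Editing the provider list by hand across many JVMs is error-prone: a duplicated or skipped security.provider.N index silently breaks provider lookup. The script below is an added example, not code from the original post, that rewrites a java.security file so that IBMSecureRandom is provider 1 and IBMJCE is provider 2, keeps the remaining providers in their existing relative order, renumbers the whole list without gaps and leaves every other line untouched. The SAMPLE_JAVA_SECURITY excerpt is constructed for illustration and is not copied from a real installation; the fix_java_security_file helper and its .bak backup are my own convention.

```python
import re

SECURE_RANDOM = "com.ibm.securerandom.provider.IBMSecureRandom"
IBM_JCE = "com.ibm.crypto.provider.IBMJCE"

# Matches one provider registration line, e.g. "security.provider.3=com.ibm.jsse2.IBMJSSEProvider2"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed excerpt of a java.security file (not taken from a real install):
# IBMSecureRandom is missing, which is the situation the post describes.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of [java_homedir]/jre/lib/security/java.security
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
securerandom.source=file:/dev/urandom
"""


def reorder_providers(text, first=(SECURE_RANDOM, IBM_JCE)):
    """Return (new_text, provider_order).

    The providers named in `first` become security.provider.1, .2, ... in that
    order; every other registered provider keeps its relative (numeric) order
    after them and the list is renumbered without gaps or duplicates. Lines
    that are not provider registrations (comments, other keys) are kept as-is.
    """
    lines = text.splitlines()
    found = []                     # (number, class) for every provider line seen
    for line in lines:
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    found.sort()                   # honour the numeric order, not file order
    rest = []
    for _, cls in found:
        if cls not in first and cls not in rest:
            rest.append(cls)
    order = list(first) + rest
    block = ["security.provider.%d=%s" % (i + 1, cls) for i, cls in enumerate(order)]

    out = []
    emitted = False
    for line in lines:
        if PROVIDER_RE.match(line):
            if not emitted:        # the first old provider line is replaced by the new block
                out.extend(block)
                emitted = True
            continue               # remaining old provider lines are dropped
        out.append(line)
    if not emitted:                # no provider list at all: append one
        out.extend(block)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, order


def fix_java_security_file(path):
    """Rewrite `path` in place, keeping a .bak copy; returns the new provider order."""
    with open(path, "r") as fh:
        original = fh.read()
    new_text, order = reorder_providers(original)
    if new_text != original:
        with open(path + ".bak", "w") as fh:
            fh.write(original)
        with open(path, "w") as fh:
            fh.write(new_text)
    return order


if __name__ == "__main__":
    fixed, order = reorder_providers(SAMPLE_JAVA_SECURITY)
    print(fixed)
```

Running it twice on the same file produces identical output, so it is safe to include in a configuration-management step that runs on every deploy; the server still has to be restarted for the JVM to re-read java.security.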



15/08/2016

FIPS Compliance-Part I. How to enable the FIPS

How to enable FIPS in WebSphere Application Server?

Login to the web console (http[s]://[hostname]:port/ibm/console) and navigate to:

  1. Security > SSL certificate and key management.
  2. Click Manage FIPS.
  3. Select the check box Use the United States Federal Information Processing Standard (FIPS 140-2) algorithms.
  4. Click Apply.
  5. Save the configuration changes.

Next, set the environment variable to restrict the IBMJSSE2 provider to FIPS-compliant algorithms:

  1. Servers > Application servers, and choose your application server.
  2. In the Configuration tab, find the Server Infrastructure section.
  3. Click Java and Process Management > Process Definition.
  4. Under Additional Properties, click Java Virtual Machine.
  5. In the Generic JVM arguments field add the value: -Dcom.ibm.jsse2.usefipsprovider=true

Alternatively, add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file.

[Screenshot: How to enable FIPS 140-2 in WebSphere Application Server]
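Clicking through the console works for one server; for a cell with many application servers the same JVM argument is better applied with a wsadmin Jython script. The script below is an added example, not code from the original post or from IBM, that merges -Dcom.ibm.jsse2.usefipsprovider=true into each application server's Generic JVM arguments idempotently: it does not add the flag a second time and it replaces a conflicting usefipsprovider=false if one is present. It uses the standard wsadmin AdminConfig object (list, showAttribute, modify, save); the merge_jvm_argument helper, the apply_fips_argument wrapper and the APPLICATION_SERVER filter are my own additions, and the syntax is kept old-style so the same file runs both under wsadmin's Jython and under CPython 3, where only the pure helper is exercised.

```python
# Added example (not from the original post): apply the FIPS JVM argument to
# every application server through wsadmin, idempotently.
FIPS_ARG = "-Dcom.ibm.jsse2.usefipsprovider=true"


def merge_jvm_argument(existing, arg):
    """Return the generic JVM argument string with `arg` present exactly once.

    Tokens are whitespace separated, as in the console's Generic JVM
    arguments field. An earlier setting of the same -D property (for example
    ...usefipsprovider=false) is dropped so the two cannot conflict.
    """
    key = arg.split("=", 1)[0]             # "-Dcom.ibm.jsse2.usefipsprovider"
    kept = []
    for token in (existing or "").split():
        if token.split("=", 1)[0] == key:
            continue                       # old value of this property is replaced
        kept.append(token)
    kept.append(arg)
    return " ".join(kept)


def apply_fips_argument(server_id):
    """Merge FIPS_ARG into the server's JavaVirtualMachine object (wsadmin only).

    AdminConfig is the wsadmin scripting object and is not defined outside wsadmin.
    """
    jvm = AdminConfig.list("JavaVirtualMachine", server_id).splitlines()[0]
    current = AdminConfig.showAttribute(jvm, "genericJvmArguments")
    merged = merge_jvm_argument(current, FIPS_ARG)
    if merged != current:
        AdminConfig.modify(jvm, [["genericJvmArguments", merged]])
    return merged


if __name__ in ("__main__", "main"):       # wsadmin runs scripts with __name__ == "main"
    # Every APPLICATION_SERVER in the cell; nodeagent and dmgr entries are skipped.
    for server_id in AdminConfig.list("Server").splitlines():
        if AdminConfig.showAttribute(server_id, "serverType") != "APPLICATION_SERVER":
            continue
        print("%s -> %s" % (server_id, apply_fips_argument(server_id)))
    AdminConfig.save()                     # takes effect after the servers are restarted
```

Run it as wsadmin.sh -lang jython -f fips_jvm_arg.py (file name assumed); the argument only takes effect after each server is restarted, and the java.security provider fix from Part II is still needed or the restart fails with the IBMSecureRandom error described there.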


02/03/2014

SOA Web Services Security Testing

Today, while I was searching for some information regarding SOA and security in web services, I found this article written by one of my colleagues.

Here is the link to the article:

http://ipsec.pl/web-application-security/2013/web-services-security-testing.html